This article recently published in the Worcester Telegram & Gazette highlights the dangers of shared user accounts, open kiosks and weak authentication protocols.

Computer access breach exposed UMass Memorial pay stub data

By Lee Hammel TELEGRAM & GAZETTE STAFF

WORCESTER —  Personal pay stub information of some UMass Memorial Healthcare employees was subject to unauthorized access for five months. 

The organization learned March 10 that at 10 kiosks where employees could view their pay stub information, and also at shared workstations, subsequent users were able to access the information of previous users, according to Rob Brogna, UMass Memorial spokesman. Upon confirming the problem, UMass Memorial removed the kiosks from use, he said.

The day after the breach was discovered, UMass Memorial applied a systemwide software change to disable the pertinent setting on the organization's HRConnect application, he said. On March 16, the direct deposit bank account number was redacted from the information on HRConnect, and subsequently the 10 kiosks were returned to the campuses for employee use, Mr. Brogna said.

The personal information potentially exposed included name, bank name, bank transit number and bank account number. The breach did not involve employee Social Security numbers or medical record or patient information, he said.

Only UMass Memorial employees who accessed HRConnect using the kiosks or a shared workstation between Oct, 7 and March 11 are potentially affected by the breach, Mr. Brogna said. What portion of the 13,500 employees of the health care system was affected was not available last night.

UMass Memorial has no reason to believe that any of the personal information on HRConnect has been misused, according to Mr. Brogna. Nevertheless, UMass Memorial is notifying all potentially affected employees of the incident.

The organization is offering potentially affected employees reimbursement of the costs to institute a security freeze with the three national credit reporting agencies, Mr. Brogna said, and is also offering one year of free credit monitoring through TransUnion Interactive.

“UMass Memorial deeply regrets this incident,” Mr. Brogna said, and “is continually evaluating and modifying its practices to enhance the security and privacy of all confidential and sensitive information entrusted to it.” 

http://www.telegram.com/article/20110412/NEWS/110419891/1116

As of late, Tools4ever has been implementing more solutions on the healthcare market and I wanted to take a look at our clients and ascertain if there are common issues that this market sector needs to address.  Not surprisingly, the issue above was a common themes with a number of these accounts.

Shared User Accounts

One of the top reasons for implementing Identity Management in healthcare is the need to eliminate the “shared” accounts.  Quite frequently, all the nurses on a floor will have one or more shared computers. Everyone utilizes the machine utilizing a common, generic account.  The issue becomes security and privacy.  It is impossible to restrict access or determine who is doing what and when.

Identity management solves this issue typically by linking an HR application to the Active Directory and creating individual logon accounts. Fast user switching, available in Vista and 7 makes this a quick process for busy healthcare professionals.  Further, the Tools4ever Single Sign On product allows for credentials of users to be provided automatically fro authorized applications when utilizing fast user switching.

For more information, please visit: http://www.tools4ever.com/products/user-management-resource-administrator/